
The So-Called Castle and Moat Security Model is Dead


Vitaliy Trifonov, the Creative Technical Director at Group-IB, says the aim of creating and implementing ZTNA is one that has entered the mainstream

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
On paper, zero-trust network architecture is the natural successor to the perimeter-based security model. The preceding model, which gives unfettered access to any user upon completion of initial verification, is no longer fit for purpose, especially given the vast numbers of individuals now working in a remote or hybrid setting following the COVID-19 pandemic.

Zero Trust Network Architecture (ZTNA) as a concept has gained significant traction within the cybersecurity space, and more companies are beginning to implement this form of security infrastructure, although many so-called ZTNA solutions still only scratch the surface. Indeed, the striving towards ZTNA has played a major role in the wide-scale adoption of multi-factor authentication (MFA) as an industry standard, and the increasing utilization of technologies such as identity-aware proxies and software-defined perimeters is removing some of the user experience (UX) barriers that implementing ZTNA could create.

For zero trust to be effective, companies require a universal access control system that works seamlessly with all operating systems and software and can be connected and integrated anywhere. Companies must also ensure they protect against any hidden backdoors and potential supply chain attacks by regularly verifying and auditing their processes and procedures.

Do you believe that technologies that support zero trust are moving into the mainstream?
The aim of creating and implementing ZTNA is one that has entered the mainstream. However, we are still a long way from a one-size-fits-all solution that will allow businesses and organizations to establish ZTNA on their networks. Technologies that embrace ZT principles are becoming more widely available on the market, and a large number of cloud service providers have crafted products containing security features that adhere to the tenets of ZT. That being said, if companies are truly committed to implementing ZTNA, piecemeal solutions won’t work. Companies and organizations must take an all-in approach for ZT to become an industry benchmark.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
The so-called castle and moat security model is dead, and it’s not coming back. Castles (companies) are now too big, their digital infrastructure is so vast, and their attack perimeter is so large, that it’s now impossible to build a moat (security perimeter) around them. According to a recent FlexJobs survey, 87% of workers are looking for jobs that will allow them to work in a remote or hybrid environment, creating endpoint security risks as individuals use personal devices for work purposes. Furthermore, password policies, firewalls, and VPNs are becoming less reliable, given that they are often based on implicit trust.

Cybercriminals, who have shown time and again that they are highly adaptive and opportunistic, are incredibly skilled at exploiting the implicit trust contained in traditional defensive measures. With ZTNA, the new perimeter starts with each endpoint. Instead of relying on IP addresses in isolation, networks with ZTNA can authenticate resources and use them individually. Microsegmentation, a central concept of establishing ZTNA, is also vital to reducing attack surfaces and hindering attackers from moving laterally across networks. In short, ZT can make companies more resilient and responsive to new attacks.

How can companies get started with zero trust?
Firstly, companies must start from the concept that ZT is a system where every person, device, file, and application is considered to be a threat until properly verified. Additionally, to establish a ZT framework, companies must adhere to three core principles: that authorization may be granted only after explicit verification, that companies must enforce a least-privileged model and limit access to a need-to-know basis, and that all traffic must be continuously inspected and logged to verify user behaviour.

ZT policy, like any cybersecurity plan, must be tailored to a business or organization’s interests and needs. For example, the introduction of multiple new solutions to meet ZT goals could in fact create new security gaps that threat actors could exploit. At Group-IB, our audit and consulting team can provide companies with all they need to evaluate their infrastructures and processes, and give them the required information to understand what their current security risks are, and how to mitigate them. A thorough audit can be an invaluable tool for companies looking to implement ZT, as it can provide a much-needed reality check along with an implementation action plan.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What, according to you, can be done to address this?
Zero Trust may be the gold standard for cybersecurity, but it is by no means a silver bullet. Additional measures and solutions will always be required to complement any Zero Trust architecture. This includes services such as Managed Extended Detection and Response and data loss prevention solutions.

Organizations should ensure that they are up-to-date with the latest Threat Intelligence research produced by vendors, and they should conduct regular security checks, including audits, compromise assessments, and penetration testing exercises to ensure that their security perimeter can stand strong against the threats of today and tomorrow.

What, according to you, are the limitations of zero trust?
One of the major limitations of Zero Trust in its current form is its complexity. Introducing ZT is often associated with the complete overhaul of any established infrastructure, making the creation of ZTNA a costly and time-consuming process that, in and of itself, has no guarantee of success. The human factor has played, and will continue to play, a crucial role in successful cyber attacks. Cybercriminals will continue to turn to social engineering ploys to gain initial access, and human error will still lead to security breaches, even if ZTNA is established.

For companies, one of the major challenges for establishing ZTNA will be ensuring that the tradeoffs in user experience are mitigated. Increased security measures can lead to increased frustrations for consumers, who may choose to turn to other services. Security should be paramount, but companies will have to ensure that their applications and services remain usable.

Prarthana Mary
